SPF fail vs. soft-fail pros and cons

Sondra, you already found a related question, but the highest scoring answer doesn’t do justice to your questions, in my opinion.

Let me start with your last question: What is the likelihood that a forged phishing email which SPF SoftFails actually gets to someone's inbox?
Huge! Combined with a DMARC quarantine/reject policy and a receiving mailbox on Office 365, Outlook.com, Gmail, Yahoo or another major hoster: very unlikely.

Your first question: What are the advantages of a Fail over a Soft Fail SPF record?
As mentioned in your own research, a disadvantage will be that forwarded emails will be rejected unless the bounce address (return-path) is rewritten by the forwarder.
An advantage is the domain being better protected against spoofing, but only for the simplest of attempts.

As mentioned above, the caveat with SPF is that it is checked against the SMTP envelope sender, saved in the message header field Return-Path. An actual recipient will have no knowledge of this field, because most email clients will only present them with another field, the header From. For example: I send an email with a header From: Satya@microsoft.com, but I use SpoofedYou@example.com as the envelope sender. Even though microsoft.com publishes a Fail SPF policy, it will not fail SPF because example.com does not publish an SPF record. The recipient will just see an email from Satya@microsoft.com.

This is where DMARC comes in. DMARC requires authentication alignment with the domain used in the From header, either for SPF or DKIM. This means the domain used in the envelope sender (Return-Path) and the header From: should share an organizational domain. DMARC only cares about PASS results for the underlying authentication mechanisms (SPF or DKIM), so for SPF, in that respect, ~all and -all are treated exactly the same.

Terry Zink has published multiple articles on DMARC, one of which is:
Enhanced email protection with DKIM and DMARC in Office 365

There is a lot one could learn about SPF, DKIM and DMARC, which is beyond the scope of this answer. DMARC is neither easy to implement nor flawless, but it does protect your domain against spoofing, much better than SPF alone. Also, everything depends on the receiving party and how they deal with SPF and DMARC (if at all).
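The three situations the answer describes (a spoofed header From with an envelope sender on a domain that has no SPF record, a forwarder whose IP is not in the SPF record, and DMARC only counting an aligned PASS) can be walked through with a small offline evaluator. This is an added example, not code from the answer above or from any SPF/DMARC library. The DNS TXT records in the `TXT` dictionary are constructed for illustration and are not the real records of microsoft.com; `softfail.example` is a made-up domain; only `ip4`/`ip6` and `all` mechanisms are evaluated, and the "organizational domain" is approximated as the last two DNS labels, which a real implementation replaces with a Public Suffix List lookup.

```python
"""Offline SPF + DMARC-alignment walkthrough (added example, not the answer's own code).

Assumptions: DNS lookups are replaced by the constructed TXT dict below (not real records);
only ip4/ip6/all mechanisms are handled; relaxed alignment is approximated by the last two
labels instead of the Public Suffix List.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: not the real records).
TXT = {
    "microsoft.com": "v=spf1 ip4:198.51.100.0/24 -all",     # hard fail (-all)
    "softfail.example": "v=spf1 ip4:198.51.100.0/24 ~all",  # soft fail (~all), made-up domain
    # example.com deliberately publishes no SPF record at all
    "_dmarc.microsoft.com": "v=DMARC1; p=reject; aspf=r",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_ip, mail_from_domain, txt=TXT):
    """Evaluate SPF for the envelope-sender (Return-Path) domain.

    Returns one of: pass, fail, softfail, neutral, none.
    """
    record = txt.get(mail_from_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # no SPF record: nothing to fail against
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            matched = False                # a/mx/include/... need more DNS; not modelled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                       # RFC 7208 default when nothing matches


def org_domain(domain):
    """Crude organizational domain: last two labels (assumption; real code uses the PSL)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def dmarc_evaluate(sender_ip, mail_from, header_from, dkim_pass_domains=(), txt=TXT):
    """Apply the answer's rule: DMARC only honours a PASS whose domain aligns with header From.

    dkim_pass_domains lists d= domains of DKIM signatures that verified (none in the spoof case).
    Returns (disposition, details); disposition is the DMARC p= value when nothing aligns.
    """
    from_domain = header_from.split("@", 1)[1].lower()
    mf_domain = mail_from.split("@", 1)[1].lower()
    policy_record = txt.get("_dmarc." + from_domain) or txt.get("_dmarc." + org_domain(from_domain))

    spf = spf_check(sender_ip, mf_domain, txt)
    # fail, softfail, neutral and none are all "not pass" here: -all and ~all are treated alike
    spf_aligned = spf == "pass" and org_domain(mf_domain) == org_domain(from_domain)
    dkim_aligned = any(org_domain(d) == org_domain(from_domain) for d in dkim_pass_domains)
    details = {"spf": spf, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}

    if policy_record is None:
        return "none", details              # no DMARC policy published: nothing to enforce
    policy = dict(kv.strip().split("=", 1) for kv in policy_record.split(";") if "=" in kv)
    if spf_aligned or dkim_aligned:
        return "pass", details
    return policy.get("p", "none"), details


if __name__ == "__main__":
    # 1. The answer's spoof: header From at microsoft.com, envelope sender on a domain with no SPF.
    print(spf_check("203.0.113.7", "example.com"))        # SPF alone: none (no record to fail)
    print(dmarc_evaluate("203.0.113.7", "SpoofedYou@example.com", "Satya@microsoft.com"))
    # 2. A forwarder outside the published netblock: -all vs ~all differ for SPF only.
    print(spf_check("203.0.113.7", "microsoft.com"))      # fail
    print(spf_check("203.0.113.7", "softfail.example"))   # softfail
    # 3. Legitimate mail from the listed netblock passes SPF and aligns with header From.
    print(dmarc_evaluate("198.51.100.25", "bounce@microsoft.com", "Satya@microsoft.com"))
```

Scenario 1 shows why the answer says a -all record only protects against the simplest attempts: SPF for example.com returns `none`, and it is the DMARC policy on the header From domain that turns the message into a reject. Scenario 2 shows the forwarding cost of -all versus ~all, and scenario 3 shows that an aligned SPF pass (or, via `dkim_pass_domains`, an aligned DKIM pass surviving a forward) is what DMARC actually needs.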
